Article

What is regulatory compliance?

Compliance
Time to read: 15 minutes

Regulatory compliance is an organization’s adherence to laws, regulations, standards, guidelines, and specifications set forth by governments, agencies, trade groups, and other bodies. Generally, regulations that drive compliance are implemented to protect someone or something (e.g., employees, consumers, the public, the environment). Regulatory compliance aims to ensure that organizations stay within the bounds of acceptable practices to ensure the safety and security of any people or entities with which they interact.

Regulatory compliance applies to a wide range of organizations and industries worldwide. Nearly every organization must adhere to some regulations. Data privacy is one of the most ubiquitous compliance rules enforced across industries and by most countries.

Regulatory compliance in the United States

In the United States, many laws and regulations are in place to protect employees, the public, and other stakeholders from negligence and fraud. These include laws and industry standards that mandate compliance. Significant agencies, groups, and mandates that drive regulatory compliance include the following.

Government agencies including:

  1. Civil Rights Center with Federal Department of Labor
  2. Employee Benefits Security Administration (EBSA)
  3. Employment and Training Administration of Federal Department of Labor
  4. Environmental Protection Agency (EPA)
  5. Equal Employment Opportunity Commission (EEOC)
  6. Federal Financial Institutions Examination Council (FFIEC)
  7. Federal Trade Commission (FTC)
  8. Food and Drug Administration (FDA)
  9. Occupational Safety and Health Administration (OSHA)
  10. Small Business Administration (SBA)
  11. U.S. Office of Foreign Assets Control (OFAC)
  12. U.S. Securities and Exchange Commission (SEC)
  13. United States Sentencing Commission

Non-governmental entities that maintain and enforce regulatory compliance include:

  1. American Society of Mechanical Engineers (ASME)
  2. Financial Industry Regulatory Authority (FINRA)
  3. Payment Card Industry (PCI) Standards Security Council
  4. Public Company Accounting Oversight Board (PCAOB)

Standards that guide regulatory compliance in the United States include:

  1. Control Objectives for Information Technologies (COBIT) framework
  2. Organization for Standardization (ISO)
  3. National Institute of Standards and Technology (NIST) standards
  4. U.S. Department of Defense (DoD)
  5. Cybersecurity Maturity Model Certification (CMMC) International

Tens of thousands of laws and regulations set regulatory compliance requirements for organizations.

Examples of mandates in several key industries include the following.

Civil rights-related regulatory compliance examples

  1. Age Discrimination Act
  2. Americans with Disabilities Act
  3. Civil Rights Act
  4. Congressional Accountability Act
  5. Equal Credit Opportunity
  6. Equal Educational Opportunities Act
  7. Fair Housing Act
  8. Genetic Information Nondiscrimination Act
  9. Rehabilitation Act
  10. Title IX
  11. Uniformed Services Employment and Reemployment Rights Act
  12. Voting Rights Act

Employment and workplace-related regulatory compliance examples

  1. Equal Pay Act
  2. Fair Labor Standards Act (FLSA)
  3. Family and Medical Leave Act (FMLA)
  4. Federal Workers’ Compensation Act
  5. Uniformed Services Employment and Reemployment Rights Act (USERRA)
  6. Worker Adjustment and Retraining Notification Act (WARN)
  7. Workers’ Compensation Laws

Environmental-related regulatory compliance examples

  1. Atomic Energy Act (AEA)
  2. Beaches Environmental Assessment and Coastal Health (BEACH) Act
  3. Chemical Safety Information, Site Security and Fuels Regulatory Relief Act
  4. Clean Air Act (CAA)
  5. Clean Water Act
  6. Toxic Substances Control Act

Financial-related regulatory compliance examples

  1. Dodd-Frank Act
  2. Payment Card Industry Data Security Standard (PCI DSS)
  3. Sarbanes-Oxley Act (SOX)
  4. Gramm–Leach–Bliley Act (GLBA)
  5. Fair Credit Reporting Act
  6. Sherman Act
  7. Securities Exchange Act
  8. Securities Act of 1933
  9. Bank Secrecy Act (BSA)

Healthcare-related regulatory compliance examples

  1. Anti-Kickback Statute (AKBS)
  2. Emergency Medical Treatment and Labor Act (EMTALA)
  3. Health Information Technology for Economic and Clinical Health (HITECH) Act
  4. Health Insurance Portability and Accountability Act (HIPAA)
  5. Occupational Safety and Health Act
  6. Patient Safety and Quality Improvement Act (PSQIA)

Privacy and data security-related regulatory compliance examples

  1. California Consumer Privacy Act of 2018 (CCPA)
  2. Colorado Privacy Act
  3. Connecticut Personal Data Privacy and Online Monitoring Act
  4. Federal Information Security Management Act (FISMA)
  5. Maryland Online Consumer Protection Act
  6. Massachusetts Data Privacy Law
  7. New York Privacy Act
  8. Utah Consumer Privacy Act
  9. Virginia Consumer Data Protection Act

Regulatory compliance in the E.U. and Other Regions

Regulations vary by country and region, but most have enacted laws similar to those in the United States. Organizations that engage with citizens of other countries must comply with requirements in those regions.

The European Union’s (E.U.) General Data Protection Regulation (GDPR) is a particularly stringent example. The GDPR applies to any organization that collects data from E.U. citizens, regardless of where the organization is located. It also applies to data about non-EU citizens who are residents in an E.U. country.

Why regulatory compliance is important

Compliance requirements continue to grow as more governments and other groups refine existing rules and add new ones to address growing threats, many of which are brought on by advancing technology. The processes and strategies derived from regulatory compliance ensure that an organization operates according to all applicable laws and regulations.

A byproduct of regulatory compliance is helping organizations uplevel operations. Audit reports related to compliance requirements demonstrate an organization’s commitment to following rules and ensuring the well-being of those with whom it conducts business.

Regulatory compliance bolsters organizations’ reputations by increasing confidence and building trust.

Compliance requirements also promote safety and reduce risk in many sectors. Rules created to address industry-specific risks to people and the environment have made a material difference. Employees, consumers, and the environment benefit from protections that have reduced the chances of workplace accidents, injuries, and fatalities and protect the public from harmful or fraudulent products and practices.

In some cases, the importance of regulatory compliance is as simple as allowing an organization to operate. Some requirements must be in place for operations to run legally. Failure to adhere to regulatory compliance requirements can result in an organization being fined or even closed down.

Benefits of regulatory compliance

Organizations realize many benefits when they achieve and demonstrate regulatory compliance. The following are several of the commonly cited benefits in the short term and over an extended time.

Avoiding unnecessary and costly legal issues
Implementing and maintaining compliance programs helps organizations avoid costly and time-consuming legal issues that result from non-compliance. This is because regulatory compliance policies put frameworks in place to meet all necessary obligations.

Enhanced operational efficiency, increased productivity, and reduced costs
Operational efficiency is a well-documented byproduct of adhering to regulatory compliance. Due to the requirements to achieve compliance, robust and clear processes and systems must be implemented. In addition to supporting compliance requirements, these result in streamlined procedures and processes that optimize operations, increase productivity, and reduce costs.

Greater resilience and business continuity
Compliant organizations are more resilient to changing regulations, as they already have systems in place to meet regulatory demands. This helps organizations plan better for future change, enabling greater business continuity.

Higher employee productivity and retention 
By supporting prioritization of workplace safety and equity, regulatory compliance has the residual effect of increasing employee satisfaction, which leads to enhanced productivity and reduced employee turnover rates.

Improved market health
A lesser-considered benefit of regulatory compliance is eliminating monopolies that can hinder competition and result in unhealthy markets. Regulations often drive fair practices that give all organizations a chance to succeed and encourage innovation.

Increased equity and safety in the workplace
Regulatory compliance requires the implementation of rules that aim to eliminate discrimination and harassment in the workplace. In addition, compliance requires enforcing strict safety standards and protocols that prevent accidents and damage to people and infrastructure. In these ways, regulatory compliance can foster a work environment that boosts productivity, efficiency, and overall satisfaction.

Positive reputation
Adhering to compliance obligations can enhance trust in organizations across their industries, employees, customers, and the public. This is because demonstrating compliance shows a commitment to high professional and ethical standards. Organizations that maintain regulatory compliance often realize increased brand value and stakeholder confidence.

Consequences of non-compliance

Failure to meet regulatory compliance obligations puts organizations at risk of non-compliance penalties, such as sanctions and fines. The specific penalties vary by the regulation, but the following are several broad categories that provide an overview of what can happen due to violations.

Financial penalties
Failing to meet regulatory compliance obligations can result in expensive fines. For instance, in the United States, HIPAA’s requirements related to a data breach base fines on the severity of the incident. In the European Union (E.U.), GDPR has two tiers of penalties, each with significant financial obligations for non-compliant organizations.

Impact on organizations’ operations
Compliance violations can result in a reduction in productivity as organizations grapple with fines and other penalties. In extreme cases, organizations can lose contracts, licenses, or authorization due to non-compliance.

For instance, the industry regulation PCI DSS (Payment Card Industry Data Security Standard) can disallow the use of members’ credit card payment networks. Examples in government are FedRAMP (Federal Risk and Authorization Management Program) and CMMC (Cybersecurity Maturity Model Certification), which can cause organizations to lose certifications for non-compliance, resulting in their inability to operate.

Legal liability
In cases where failure to meet regulatory compliance requirements results in severe harm to individuals or an organization, there could be legal implications. HIPAA and GDPR exemplify the serious nature of legal liabilities.

HIPAA has several tiers of penalties, including jail time for severe breaches or fraud. GDPR violations can also expose leaders to jail time. Needless to say, the legal expenses for defense are exorbitant.

Reputational damage 
While fines are painful, the damage to brands and reputations from regulatory non-compliance is far more problematic.

When failure to meet compliance requirements results in an incident, especially when it violates a law, the public can be unforgiving.

Organizations risk losing market share and revenue when the public’s trust is lost due to a noncompliance-related issue.

Regulatory compliance policies

A regulatory compliance policy establishes a framework for meeting related obligations. It also details the systems, processes, and procedures for implementing, maintaining, and reporting associated with all compliance controls.

A regulatory compliance policy should include:

  1. Guiding principles that direct all of the decisions and actions related to compliance
  2. Specific systems, functions, and procedures necessary to ensure compliance
  3. Details about which authorities will conduct audits
  4. Definition of roles or functions for monitoring and reviewing status
  5. Documentation and communication protocols related to regulatory compliance
  6. Outline of applicable compliance requirements

While specifics vary by organization, questions to consider when formulating a regulatory compliance policy include:

  1. How will the policy be used to decrease risk, foster communication, and educate stakeholders?
  2. To whom does the policy apply, and in what capacity?
  3. Are there exceptions or limitations to how the policy will be used?
  4. What is the impact of regulatory compliance on the organization?
  5. How will compliance duties be balanced among different teams in the organization (e.g., legal, auditing, finance)?
  6. How can the policy foster compliance across different teams and locations?
  7. What systems will monitor, manage, and report on compliance?
  8. How can the policy help measure the value of regulatory compliance, including in employee performance evaluations?

Regulatory compliance policies are important for organizations to implement because they enable clear communications with employees, partners, and regulators about how compliance is achieved.

In many cases, anyone who falls under the jurisdiction of regulatory compliance requirements must acknowledge that they have read and understand the policies.

Roles in regulatory compliance

Creating roles dedicated to regulatory compliance helps organizations navigate and adhere to stringent, complex mandates and laws. Since compliance enforcers are unjustly prone to disparagement by others in the organization, it is important for leadership to educate team members about the critical role that they play. Positioning regulatory compliance staff as partners helps others view them in a more positive light.

With the increase in regulations, many organizations have created positions that focus on ensuring rules are followed, such as compliance officers, analysts, and specialists.

Regulatory compliance management functions cover a number of areas, including:

Advisory
Regulatory compliance roles help organizations adhere to rules and regulations by providing oversight and advising on necessary modifications to systems or processes. In addition, when issues arise, advisors provide knowledge and expertise to assure swift and effective remediation. Compliance team members also advise on preparing for and providing audit documentation.

Data classification
An important function of regulatory compliance staff is to support data governance, specifically, classification. Accurately classifying stored data allows compliance requirements to be met more easily and audits to be conducted more quickly and smoothly.

Monitoring
Regulatory compliance teams help organizations stay on top of new and changing rules. With new regulations continuing to be issued, it is important to have a team focused on how they impact the organization and taking steps to ensure that any necessary changes or updates are made.

Prevention
Avoiding missteps concerning compliance prevents not just penalties, but disruptions to operations. Regulatory compliance teams create and implement programs that keep organizations from trouble caused by failures to comply with the many rules and reduce overall risk.

Resolution
In the unfortunate event of a breach in regulatory compliance controls, a swift response is required. Addressing issues in a timely manner minimizes damage and can mitigate disruption, damage, and penalties.

Responsibility
Having team members focused on regulatory compliance places responsibility on a person or team. Being responsible for compliance allows teams or individuals to take the time needed to develop a deep understanding of the rules and how they affect the enterprise. This includes helping other departments do their part to ensure compliance and keeping them up to date on revisions to existing rules or new ones.

Regulatory compliance best practices

To meet regulatory compliance requirements, organizations must understand which laws and regulations apply to them. Since many regulations have an extended reach, especially those originating outside of the United States (e.g., GDPR), this requires a deep knowledge of the organization’s responsibilities.

Best practices to consider when evaluating how to meet compliance requirements include the following.

Assign roles to individuals in relevant departments to support compliance maintenance, reporting, and auditing.

Determine requirements for regulatory compliance across applicable mandates and develop plans to ensure adherence.

Develop and maintain a code of conduct to inculcate a culture of compliance throughout the organization.

Document compliance processes, with explicit instructions for maintaining compliance, to ensure that all rules are followed and that the organization is prepared for audits.

Identify applicable regulations to determine which rules apply to the organization based on its geographic footprint, industry, and operations.

Monitor changes in regulatory compliance requirements continuously to learn about updates that may apply to the organization.

Schedule regular training to keep staff and others up to speed on requirements and how best to maintain compliance.

Regulatory compliance seeks the greater good

While regulatory compliance is sometimes seen as a burden, it supports the greater good of the enterprise as well as society. As requirements continue to expand worldwide, there is an effort to align them to create a degree of standardization.

For individuals, the result of these compliance requirements is in their favor, because the least common denominator pushes organizations to adhere to the strictest standards as a baseline. This delivers benefits that range from safer products and better environmental controls to enhanced data privacy and protection against fraud.

For organizations, regulatory compliance provides a consistent set of rules that applies to everyone, creating a level playing field in terms of rules.

Take control of your cloud platform.

Learn more about SailPoint Identity Security.

Mark and Sumit

S1 : E2

Identity Matters with Sumit Dhawan, Proofpoint CEO

Join Mark McClain and Sumit Dhawan to understand the future of cybersecurity and how security teams can support CISO customers in the midst of uncertainty.

Play podcast
Mark and Ron

S1 : E1

Identity Matters with Ron Green, cybersecurity fellow at Mastercard

Join Mark McClain and Ron Green to understand the future of cybersecurity and the critical role identity security plays in safeguarding our digital world.

Play podcast
Dynamic Access Roles

Dynamic Access Roles

Build the next generation role and access model with dramatically fewer role and flexibility

View the solution brief